10-22-2014 01:27 AM
Hallo all,
I have only one physical ethernet interface on the firewall, which is facing the internet. I also want to make this PA firewall an IPSEC tunnel endpoint. So all my internal traffic uses this ethernet interface to go to the internet, and VPN traffic should terminate on the same interface.
Is this possible? If yes, how can I implement it? Any documentation or procedures?
Thanks a lot!
10-22-2014 09:29 AM
Hello Amit,
For the most part this is typically how most users will be using it, i.e. 1 public IP and many services like outbound NAT, IPSec, GlobalProtect, remote access, etc. So this will work.
For outbound traffic, you will need the following:
- outbound NAT, translate source to the public IP
- appropriate static routes to the default gateway as discussed earlier.
- security rules
For IPSec, you may follow this document:
Regards,
Dileep
10-22-2014 01:56 AM
Hello Amit,
I hope you are using this PAN firewall only to scan traffic. If so, you can implement the above mentioned setup. You have to configure different routes for the physical interface and for the VPN tunnel.
For example:
- For all internet traffic through the physical interface: Destination 0.0.0.0, next hop ISP IP address (next hop)
- For VPN traffic: Destination: source subnet behind the IPSec tunnel, interface tunnel.xx, next hop None
Hope this helps and let us know the result.
Thanks
10-22-2014 02:40 AM
Hi Hulk
Ok I will try it out and let you know.
Also, in the VR, I should always mention either the Interface or the Next Hop, but not both, right?
10-22-2014 03:49 AM
Yes, you can use a single ethernet interface towards the internet for all functionality: user access to the web, IPSEC VPN termination, GlobalProtect portal and gateway, external management of the firewall (in that case the mgmt port changes to 4443).
10-22-2014 07:50 AM
Hi Amit,
You can achieve this through static routes. You need to create two sorts of static routes.
1. Default route pointing towards the ISP ethernet interface.
2. Set of static routes pointing towards the tunnel interface. But for that, make sure those routes exist in the Proxy IDs of the IPsec tunnel.
Let me know if this helps.
Regards,
Hardik Shah
10-22-2014 08:01 AM
Hello Amit,
In the VR, you may select both "interface" and "next-hop" at the same time in the static route configuration. But in the common scenario, if the IPSec tunnel is not configured with an IP, you may only select the "interface" [outgoing interface] option.
Thanks
10-22-2014 08:19 AM
Hi Amit,
For any static route a next hop is required, just like with other vendors.
But for static routes for the tunnel, you can skip the next hop. You can select it as none.
Many customers don't configure an IP on the tunnel, hence they can just point the route to the tunnel and skip the next hop.
However, if the tunnel has an IP address you can configure it, but it's optional. Not a mandatory thing.
Regards,
Hardik Shah
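The setup the replies above describe (default route via the internet-facing interface, tunnel route with no next hop, proxy IDs matching the tunnel route, outbound NAT and security rules), as an added example that is not from this thread or from Palo Alto documentation. Interface, zone, route and tunnel names and the addresses are placeholders, the IKE gateway is assumed to be configured separately, the `set` syntax is assumed from the PAN-OS CLI configure mode, and the `#` lines are reader comments, not CLI input.

```text
# Assumed topology (placeholders): ethernet1/1 is the single internet-facing interface
# (public IP 203.0.113.10/24, ISP gateway 203.0.113.1, zone "untrust"); the LAN is
# 192.168.1.0/24 in zone "trust"; the remote site 10.20.0.0/16 sits behind tunnel.1 in zone "vpn".

# 1. Tunnel interface: no IP address, so its static route gets no next hop.
set network interface tunnel units tunnel.1
set zone vpn network layer3 tunnel.1
set network virtual-router default interface [ ethernet1/1 tunnel.1 ]

# 2. Static routes in the virtual router.
#    Default route: interface AND next hop (the ISP gateway).
set network virtual-router default routing-table ip static-route default-route destination 0.0.0.0/0 interface ethernet1/1 nexthop ip-address 203.0.113.1
#    Route to the remote site: interface only; the next hop is left unset ("None" in the GUI).
#    Keep this prefix identical to the remote side of the IPSec proxy ID below.
set network virtual-router default routing-table ip static-route to-remote-site destination 10.20.0.0/16 interface tunnel.1

# 3. IPSec tunnel bound to tunnel.1, with a proxy ID that matches the static route above.
set network tunnel ipsec vpn-remote-site tunnel-interface tunnel.1
set network tunnel ipsec vpn-remote-site auto-key ike-gateway ike-remote-site
set network tunnel ipsec vpn-remote-site auto-key proxy-id pid-lan local 192.168.1.0/24 remote 10.20.0.0/16 protocol any

# 4. Outbound NAT: internet-bound LAN traffic leaves with the public IP of ethernet1/1.
#    Scoped to the untrust zone so site-to-site traffic (trust -> vpn) is not translated,
#    which would otherwise break the proxy ID match.
set rulebase nat rules outbound-internet from trust to untrust source 192.168.1.0/24 destination any service any to-interface ethernet1/1 source-translation dynamic-ip-and-port interface-address interface ethernet1/1

# 5. Security rules: internet access, and site-to-site traffic in both directions only between the two subnets.
set rulebase security rules allow-internet from trust to untrust source 192.168.1.0/24 destination any application any service application-default action allow
set rulebase security rules allow-to-remote-site from trust to vpn source 192.168.1.0/24 destination 10.20.0.0/16 application any service any action allow
set rulebase security rules allow-from-remote-site from vpn to trust source 10.20.0.0/16 destination 192.168.1.0/24 application any service any action allow
commit
```

After the commit, the route table should show the 0.0.0.0/0 entry with a next hop and the 10.20.0.0/16 entry with only tunnel.1 as its egress, which is the "interface only" case discussed in the replies.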